Vulnerability details: VCID-7zeq-ub3v-s3he
Vulnerability ID VCID-7zeq-ub3v-s3he
Aliases CVE-2023-48220
GHSA-w3q8-m492-4pwp
Summary Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check performed is whether the user has been invited; the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks`, so that limit should be respected. The bug is in the `devise_invitable` gem and should be fixed there, with the dependency upgraded in Decidim once the fix becomes available. Versions `2.0.9` and above of `devise_invitable` fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
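The check the summary describes, as an added illustration in Ruby (the gem's language). This is not devise_invitable's or Decidim's own code; the class and method names and the seconds-based `INVITE_FOR` constant are assumptions standing in for the gem's real implementation and Decidim's `2.weeks` setting.

```ruby
# Added example, not devise_invitable's or Decidim's own code: a minimal model of
# the check the advisory describes. Class and method names are assumptions.
INVITE_FOR = 14 * 24 * 3600 # Decidim's invite_for is 2.weeks; plain seconds here (no Rails)

class InvitedUser
  attr_reader :invitation_accepted_at

  def initialize(invitation_token:, invitation_created_at:)
    @invitation_token = invitation_token
    @invitation_created_at = invitation_created_at
    @invitation_accepted_at = nil
  end

  # A pending invitation: token issued and not yet accepted.
  def invited_to_sign_up?
    !@invitation_token.nil? && @invitation_accepted_at.nil?
  end

  # The missing check: is the pending invitation still inside the invite_for window?
  def invitation_period_valid?(now)
    !@invitation_created_at.nil? && (now - @invitation_created_at) <= INVITE_FOR
  end

  # Vulnerable behaviour from the advisory: a password reset accepts any pending
  # invitation, however old it is.
  def accept_on_password_reset_vulnerable!(now = Time.now)
    return false unless invited_to_sign_up?
    @invitation_accepted_at = now
    true
  end

  # Fixed behaviour: the expiry period is enforced before accepting.
  def accept_on_password_reset_fixed!(now = Time.now)
    return false unless invited_to_sign_up? && invitation_period_valid?(now)
    @invitation_accepted_at = now
    true
  end
end

# Constructed scenario: an invitation issued days_old days ago, then a password
# reset today. Returns [vulnerable_result, fixed_result].
def reset_outcomes(days_old)
  created = Time.now - days_old * 24 * 3600
  vuln  = InvitedUser.new(invitation_token: 'tok', invitation_created_at: created)
  fixed = InvitedUser.new(invitation_token: 'tok', invitation_created_at: created)
  [vuln.accept_on_password_reset_vulnerable!, fixed.accept_on_password_reset_fixed!]
end

puts "30-day-old invitation: #{reset_outcomes(30).inspect}" # => [true, false]
```

A stale invitation is still accepted by the vulnerable path but rejected once the `invite_for` window is enforced; a fresh one passes both.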
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00584 https://api.first.org/data/v1/epss?cve=CVE-2023-48220
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-w3q8-m492-4pwp
cvssv3.1 5.7 https://github.com/decidim/decidim
generic_textual MODERATE https://github.com/decidim/decidim
cvssv3.1 5.7 https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
generic_textual MODERATE https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
ssvc Track https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
cvssv3.1 5.7 https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
generic_textual MODERATE https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
ssvc Track https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
cvssv3.1 5.7 https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
generic_textual MODERATE https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
ssvc Track https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
cvssv3.1 5.7 https://github.com/decidim/decidim/releases/tag/v0.26.9
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.26.9
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.26.9
cvssv3.1 5.7 https://github.com/decidim/decidim/releases/tag/v0.27.5
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.27.5
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.27.5
cvssv3.1 5.7 https://github.com/decidim/decidim/releases/tag/v0.28.0
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.28.0
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.28.0
cvssv3 5.7 https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
cvssv3.1 5.7 https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
cvssv3.1_qr MODERATE https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
generic_textual MODERATE https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
ssvc Track https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
cvssv3.1 5.7 https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
generic_textual MODERATE https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
ssvc Track https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
cvssv3.1 5.7 https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
generic_textual MODERATE https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
ssvc Track https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
cvssv3.1 5.7 https://nvd.nist.gov/vuln/detail/CVE-2023-48220
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-48220
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (Attack Vector: network; Attack Complexity: high; Privileges Required: high; User Interaction: required; Scope: unchanged; Confidentiality Impact: high; Integrity Impact: high; Availability Impact: none) Found at https://github.com/decidim/decidim
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.26.9
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.26.9
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.27.5
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.27.5
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.28.0
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.28.0
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/ Found at https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-48220
Exploit Prediction Scoring System (EPSS)
Percentile 0.69519
EPSS Score 0.00584
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:27:58.258438+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/48xxx/CVE-2023-48220.json 38.6.0